Legal, Risk & Compliance Practice
Regaining Control of
Corporate Information
November 2, 2012
SCCE Southwest Regional Compliance & Ethics Conference
© 2012 The Corporate Executive Board Company. All Rights Reserved. GCR3981712SYN
THE BUZZ BEHIND THE BUZZWORDS
Select Information- and Technology-Related Developments Affecting Companies (Size According to Number of Search Hits)
The recent introduction and acceleration of numerous information technology developments dramatically change the landscape of corporate information risk.
■ CEB research indicates that legal & compliance executives worry most about:
– Growth of unstructured data
– Cloud computing
– Remote access to information
– Employee negligence and misconduct
– Personal devices in the workplace
Source: Google.com, “Google Analytics,” 21 August 2012, http://www.google.com/analytics; GCR Information Risk Survey, 2012.
[Word cloud of search-hit terms: Information security, Information governance, Records management, Security breach, Data security, Server vulnerabilities, Data breach, Data privacy, Social media, Unstructured data, SaaS, Cyber attack, Business intelligence, BYOD, E-discovery, Cloud computing, Privacy by Design, Advanced persistent threats, Hacktivism, GPS tracking, Mobile computing, Breach notification, Electronic records, Near field communication, IPv6, Corporate cloud, Collaboration tools]
SIGNIFICANT COSTS OF INFORMATION AND TECHNOLOGY INCIDENTS
Select Examples of Information and Technology Incidents and Their Impact
Failure to adequately control corporate information can lead to significant direct financial, regulatory, and reputational costs for companies.
■ According to a recent survey, 90% of organizations experienced at least one data breach in the past year.
■ In addition, depending on the type of information lost, damage to brand value can range from 12%–22%.
■ These costs do not account for any managerial opportunity costs or productivity loss arising from the incident.
Source: “Perceptions About Network Security,” Ponemon Institute, June 2011; “Reputation Impact of a Data Breach,” Ponemon Institute, October 2011.
Employee Theft—Prior to leaving Zynga, four employees took proprietary materials through USB storage devices and personal e-mail accounts. Zynga lost control of its business “playbook” and “secret sauce” to a direct competitor.
Hacktivism—In retaliation for a suit Sony filed against one of its customers, hacker group LulzSec released the account and credit card information of almost 100 million Sony customers, driving an estimated $1.5 billion in lost revenue.
Executive Officer Embarrassment—After the CEO of GoDaddy released a graphic video of himself shooting and killing an elephant, PETA launched a campaign to boycott GoDaddy’s services. Outraged customers shut down their accounts, resulting in more than 20,000 account closures and millions of dollars in lost revenue.
Customer Data Loss—In 2010, after Zurich Insurance lost the personal details of 46,000 customers, including, in some cases, their bank and credit card information, the UK’s Financial Services Authority fined the company more than $3.5 million for failing to maintain an adequate system of controls.
Selling Customer Data—In 2011, a Seoul court ordered SK Broadband, a high-speed internet provider, to pay its customers W 4 billion (US$3.35 million) for illegally collecting and selling customer information to a telemarketing company. Additionally, in the last few years, 23,000 customers have filed class-action lawsuits against the company.
Cyberhackers—In 2010, Honda Canada lost information for more than 4.9 million customers to cyberhackers, incurring significant financial costs, including a class-action lawsuit claiming $200+ million in damages.
EFFECT OF DEVELOPMENTS ON RISK EXPOSURE
Perceived Influence on Risk: New Risks Adding to Existing Risks (Illustrative)
Many teams incorrectly consider the most commonly adopted technology developments as new risks.
■ Rather than create new risks, many technological developments (e.g., personal devices, social media, cloud computing) actually serve as channels that magnify existing risks.
Increased Impact and Likelihood of Existing Risks
“It’s difficult to stay on top of legal risks related to electronically-stored information. Now in addition to that risk, we have to worry about social media, privacy issues, mobile devices, etc.—this is particularly difficult to manage as a smaller company.”
General Counsel, Paper Manufacturing Company
“Companies need to break down and categorize assets and risks. Most companies start from scratch, which isn’t necessary. The trend itself may vary, but there’s a commonality between past experiences and current issues—there’s no need to re-invent the wheel.”
Chief Legal Officer, Semiconductor Industry
[Figure, perceived view: six separate risks to protect against, labelled 1 Potential data breach, 2 Disclosure of company confidential information, 3 Violations of privacy regulations, 4 Personal devices in the workplace, 5 Social media, 6 Cloud computing. Caption: Greater Number of Risks to Protect Against.]
Actual Influence on Risk: New Developments Multiplying Existing Risks (Illustrative)
[Figure, actual view: social media, cloud computing, and personal devices in the workplace act as multipliers of the existing risks of potential data breach, violations of privacy regulations, and disclosure of company confidential information.]
AMPLIFYING THE RISK CALCULUS
Effect of New Information Technology Developments
New technology developments magnify the impact and likelihood of risks companies already assess.
■ The increased volume and variety of interactions as a result of personal devices multiply existing records- and discovery-related risks.
■ Employee access to social media magnifies traditional risks by increasing the speed, audience, and scope of each risk.
■ As the vast majority of companies eventually shift to cloud computing services, third-party risks will increase.
Risk = Information Technology Multiplier x (Impact x Likelihood)
Source: www.internetworldstats.com, December 2011; CIO Executive Board research; Information Risk Executive Council research; General Counsel Roundtable research.
Information Technology Multiplier x (Impact x Likelihood)
Personal Devices: Computers, telephones, recorders, and other electronic devices owned and used by people to communicate, share, organize, and consume information.
– Volume: Increase in the volume of person-to-person interactions creates more opportunities for data leakage.
– Variety: Growing person-to-platform interactions cause greater security risks.
Social Media: Forms of electronic communication through which users create online communities to share information, ideas, personal messages, and other content.
– Speed and Audience: 2.3 billion web users can instantly read anything employees or customers post, with viral transmissions magnifying small mistakes into globally visible ones.
– Scope: Blurred lines between personal and professional worlds; employees communicate with contacts many times per month instead of an average of once per year.
Cloud Computing: Delivery of computing over a network (such as the Internet), whereby computers and other devices access shared resources, software, and information on demand.
– Severity: Seventy-seven percent of IT leaders rate the risk of data leakage from a cloud very or extremely significant.
– Third Parties: Information Security officers rank vendor staff misconduct as one of the top five potential cloud computing flaws.
Traditional View of Risks
Risk = Impact x Likelihood
EVERYTHING OLD IS NEW AGAIN
Existing Risks Affected by New Information Technology Developments (Selected)
The risks of new technology developments surface as some of the most common information management risks already concerning legal and compliance teams.
■ The risk of disclosing sensitive information in social media is similar to that of e-mail but with a greater impact due to the unique characteristics of social media.
■ In 2012, 50% of CIOs plan to allow employees to use personal devices in the workplace; however, fewer than 20% of companies we surveyed have a process in place for retaining business records on employees’ personal mobile devices.
■ Most cloud service providers offer standard terms that include a general outline of services, limit warranties and indemnities, and shift risks to customers.
Source: CIO Executive Board research; Information Risk Executive Council research; General Counsel Roundtable research.
[Matrix: each risk below is marked against the developments Personal Devices, Social Media, and Cloud Computing; the cell markings are not preserved in this text.]
– Violation of records management policies and schedules
– Loss of availability of information
– Third-party vendor misconduct
– Violation of workplace rights
– Unauthorized access to or disclosure of personal information
– Violation of HR policies
– Storage of information on insecure sites or restricted locations
– Inability to produce data for discovery requests
– Loss of intellectual property or company confidential information
– Non-compliance with legal or regulatory requirements
INCREASING RISK EXPOSURE
Effect of Technology Developments on Companies’ Exposure to Information-Related Risks (Illustrative)
Rapidly adopted technology developments increase the likelihood of and overall exposure to information-related risks.
■ Most companies identify acceptable levels of information risk exposure and appetite against which they currently manage (though Legal, Compliance, and other assurance functions tend to disagree with the business on where to set it).
■ These technology developments collectively push companies’ risk exposure beyond acceptable (and manageable) levels.
[Figure: Degree of Information Risk Exposure (vertical axis, Low to High) plotted against Sensitivity of Data and Intended Use (horizontal axis, Low to High). Two appetite lines, LRC Risk Appetite and Business’s Risk Appetite, divide the chart into a Zone of Tolerance, a Zone of Tension, and a Zone of Peril; Previous Risk Exposure and New Risk Exposure are plotted against them.]
Increased Exposure Due to New Developments
■ Personal devices in the workplace
■ Personal/employee use of social media
■ Corporate use of social media and collaboration tools
■ Cloud computing
■ Third-party/vendor access to information
■ Remote access to information
REFINING OUR ROLE IN INFORMATION RISK
Legal and Compliance must refocus their efforts to address the risk-multiplying effects of new technologies and overcome the shortcomings of current approaches to risk management.
Traditional Approach to Managing Risks / Current State Failures (Percentage of Respondents Agreeing) / Key Opportunity for Legal
1. Traditional approach: Efforts focus on risk identification, tending to own controls-based and reactive activities.
   Current state failures: Legal Owns Risk Identification; IT/IS Designs and Implements Mitigation (66%). Lawyers in the Department Are Equipped to Diagnose and Understand Technology Risk (30%).
   Key opportunity for Legal: Gather realistic risk behavior inputs to better understand current and desired technology and information use.
2. Traditional approach: Policies restrict access to or use of emerging technologies.
   Current state failures: Company Policies Reflect How Employees Actually Consume and Use Technologies (48%). Employees Regularly Violate Company Information Policies (70%; see Note 1).
   Key opportunity for Legal: Design practical employee programs that both encourage the productive use of new technology and ensure compliance.
3. Traditional approach: We rely upon the business to escalate questions or information related to new initiatives or projects.
   Current state failures: The Business Does Not Consider Legal & Compliance Risks When Starting Information- or Technology-Related Projects (26%). Legal Provides Formal Guidelines to Business Clients on Legal Risks of Information-Related Projects (65%).
   Key opportunity for Legal: Enable risk-informed business decision making by providing clearer guidance to the business.
n = 128–130, except see Note 1.
Source: GCR Information Risk Survey, 2012.
1 Unit of measurement is percentage of employees surveyed indicating the rate at which they violate company information policies (as opposed to percentage of respondents agreeing with the statement); n = 1,236; Source: Cisco’s 2011 Connected World Technology Report.
ROADMAP FOR TODAY
Introductory Discussion: Governing Information Risk
– Define LRC Role (1): GCR Guidance: Allocating Responsibility for Information Risk Governance; Network-Based Governance Structure
Influencing Employee and Business Information Risk Behaviors
– Gather Realistic Risk Behavior Inputs (1): Power User-Led Policy Development; Mobile Device Pilot Program
– Design Practical Employee Programs: “Guiding Principles”-Based Policies; Empowering Employee Social Media Engagement
– Enable Risk-Informed Business Decision Making (1): “Conscious Choice” Decision Making; Principles-Based Decision Making
Risk Multiplier Discussion
– Managing the Impact of Mobile Devices
– Exploring the Cloud
– Influencing Employee Social Media Activity
1 Pseudonym.
EXISTING AND UPCOMING CEB RESOURCES TO HELP ON RELATED CHALLENGES
Additional Resources
Records Management
– Records Inventory Cataloging Tool
– Records Management and E-Discovery Forum
– Webinar Replay: New Approaches for Managing Electronic Records
– 10 Information Questions Every GC Should Ask the CIO
– Records Management Policies, Sample Schedules, Training, and Audit Plans
Data Privacy
– Data Privacy Program Benchmarking, Checklists, Risk Assessments, and Training Templates
– Updated Database of Data Privacy Regulations in More Than 25 Countries (Coming Soon)
– Webinar Replay: Understanding Proposed EU Data Protection Reforms Webinar
E-Discovery
– Sample Discovery Response Plans
– Cost-Effective Approaches for Electronic Discovery Webinar (Coming Soon)
– E-Discovery Management and Vendors Benchmarking Results (Coming Soon)
– Research Findings: The In-House Counsel’s Guide to Partnering for E-Discovery
Resource types: Decision and Diagnostic Tools; Executive Networking; Live and Online Learning Events; Peer Benchmarks; Research and Insights
DISCUSSION: WHO SHOULD JOIN THE TEAM?
Key Information Risk Management Stakeholders
Whether in a virtual or formalized team structure, Legal should ensure appropriate representation and allocation of responsibilities to balance diverse technical and functional considerations with legal and regulatory oversight.
■ Collaborative information risk efforts typically include the following:
– General Counsel
– Chief Marketing Officer
– Chief Information Officer
– Head of Human Resources
■ Legal & Compliance typically work closely with IT to define necessary information risk protections, relying on input from other departments to tailor initiatives to business needs.
Invite additional functional or business unit heads to join in information risk oversight to provide robust and enterprise-wide input into development of the information risk management program, ensure the program meets organizational needs, and minimize department push-back.
Division of Information Risk Management Responsibilities
Legal
■ Identifies necessary legal and regulatory requirements for information management
■ Assesses corporate risk exposure from various information and technology uses
■ Cascades mitigation efforts to various departments and business units as necessary
Information Technology and Information Security
■ Oversee implementation of technical requirements for information security
■ Classify data types and ensure protection of the most sensitive information
■ Monitor systems for data breaches or vulnerabilities
Marketing and Human Resources
■ Help identify sensitive information used in high-value internal efforts
■ Serve as key sources of insight into how the organization uses information and technology
■ Assist with implementing information management training across the organization
KEY TAKEAWAYS
Partner Across the Organization for Effective Information Risk Management
Identify the appropriate owner for essential information risk management tasks, and work with key functional partners to develop an effective governance structure and assign clear ownership and accountability.
Foster Strong Working Relationships with Information Technology and Information Security
Partner closely with the Chief Information Officer and Chief Information Security Officer to understand the organization’s technological capabilities and incorporate legal considerations into new technology projects.
Consider the Composition of Cross-Functional Committees
Rather than solely rely on functional experts, select highly networked members responsible for discrete areas of information risk to ensure better coordination with existing risk management efforts.
INCREASING MOBILITY AND PRODUCTIVITY THROUGH TECHNOLOGY USE
Consumer Technologies Used on a Regular Basis for Work (1), Percentage of Respondents by Attitudinal Profile (2)
Employees increasingly use a variety of tools and platforms in their day-to-day workflows, including employees who describe themselves as “skeptical” or “wary” of new technology.
■ Many of these social networking platforms and collaboration tools, while effective for productivity, do not yet have organizational approval.
Technology | Early Adopters | Open to New Technology | Skeptics/Wary/Uninterested in New Technology
Personally owned devices | 78% | 65% | 51%
Collaboration/productivity tools | 59% | 45% | 32%
Social networking technologies | 39% | 26% | 15%
Communication tools | 51% | 44% | 40%
n = 9,990 global employees.
1 Percentage of respondents answering “Which Personal/Consumer Technologies Do You Use on a Regular Basis for Getting Work Done?” 2 Multiple responses allowed.
Source: Infrastructure Executive Council Employee Technology Value Survey, 2011.
PERVASIVE AND PERNICIOUS
Average Secure Behavior by Organization (Ranked by Companies’ Average Secure Index (1))
Insecure Employee Technology Behaviors (Based on Questions from the Secure Behavior Index (1))
With distinct preferences for the use of personal technology and social media at work, employees act in their perceived own best interests, unintentionally placing their organizations at greater risk.
■ Research from the Information Risk Executive Council shows that the average end-user displays insecure behavior 22% of the time.
[Chart: user compliance rate (60%–90%) for each participating organization, ranked from Lagging Organization to Best in Class; average user compliance rate 78%. n = 57,000 employees at 60 companies.]
1. Leaving sensitive information unattended on desks or in other accessible locations
2. Sharing passwords with trusted co-workers to get a task done better or more easily
3. Writing down one or more work-related passwords so as not to forget them
4. Copying or e-mailing files containing sensitive information to enable work at home or on the road
5. Inconsistently securing a laptop physically with a cable or by locking it in a safe place while unattended
6. Opening e-mail attachments or links that do not seem business-relevant
1 The Secure Behavior Index is calculated from employees’ responses to six questions about the frequency of insecure behavior.
Source: Information Risk Executive Council research.
GATHER REALISTIC RISK BEHAVIOR INPUTS
Consider the permanency of and employee preferences for new technology uses to help design programs that minimize risk while delivering desired benefits.
Challenge | Key Member Question | Approaches for Discussion
Understanding Employee Technology and Information Use | How do we gain insight into employee technology and information use and identify the risks posed to the organization? | Power User-Led Policy Development: Tapping into Key Technology Users in the Business
Gaining Visibility into Future Technology Trends | How do we ensure that policies accurately reflect employee behaviors and technology preferences to increase policy relevance and effectiveness? | Mobile Device Pilot Program (1)
1 Pseudonym.
QUESTIONS TO HELP IDENTIFY POWER USERS
Sample Questions on Employee Attitudes and Preferences for Technology
Identify “power users” to advise on policies that mitigate risks while still enabling preferred and productive use of technology.
Source: Infrastructure Executive Council research; General Counsel Roundtable research.
Preferences for Using Technology to Complete Work
■ Is technology important for the employee to complete his/her work?
■ Does the employee frequently use services and products as part of his/her job?
■ Does the employee identify technology offerings that would make him/her more successful in his/her job?
Interest in Using Technology to Collaborate with Peers
■ Does the employee like to share knowledge with peers?
■ Does the employee seek ways to collaborate and share work through technology?
Willingness to Use Technology to Learn
■ Does the employee use or look for opportunities to use technology to learn something new?
■ Does the employee prefer technology delivery methods for work-related education?
Desire to Use Technology to Work Remotely
■ Does the employee spend a large percentage of his/her time away from his/her desk?
■ Is the employee comfortable with working remotely?
Curiosity in Using More Technology Solutions
■ Does the employee seek to independently solve technology constraints?
■ Is the employee comfortable expressing opinions on technology needs?
■ Is the employee comfortable with using new tools implemented by IT?
■ Does the employee hold a track record of recommending new technologies to IT?
KEY TAKEAWAYS
Rely on Demonstrated Employee and Business Technology Use for Policy and Program Development
Understand how employees use and access technology and information and build these considerations into program development to enhance compliance and minimize risk.
Incorporate the Input of Technology “Early Adopters”
Create and access a network of key power users in the business, tapping into their knowledge about the role of technology in day-to-day employee activities to design programs that realistically account for and impact employee actions and behaviors.
Test New Technologies and Information Sources in the Business
Create programs to pilot new or proposed technologies before widespread employee use to understand how employees use such tools to access and distribute information and to surface the concomitant legal and compliance risks and business benefits.
AN UNDERPERFORMING CONTROL ENVIRONMENT
LRC teams often use a “policy-first” approach to manage and reduce risks created by employee technology and information use.
■ CEB research indicates that the majority of legal departments are neutral in their assessment of whether their policies and training programs effectively mitigate employee-created risks.
■ While 50% of survey respondents prefer a restrictive approach to managing information risk, no correlation exists between restrictive approaches and the number of data disclosures experienced per year.
■ Employees regularly violate company information policies and lack accountability for protecting information, exacerbating existing legal, regulatory, and reputational risks.
Top 10 Information Policies Currently in Place at Member Organizations (Ranked by Percentage of Respondents)
Employee Data Privacy: 79%
Bring Your Own Device/Mobile Computing: 75%
E-Mail Communication: 74%
Social Media Acceptable Use: 71%
General Information Security: 70%
Website or Internet Privacy: 68%
Customer Data: 67%
Policies Related to Specific Regulations (e.g., HIPAA): 41%
Third-Party Due Diligence and Compliance: 37%
Information Classification: 30%
n = 125.
Source: GCR Information Risk Survey, 2012.
Top Five Employee Reasons for Non-Compliance with Corporate IT Policy (Percentage of Employees (1))
I’m Not Doing Anything Wrong: 33%
I Need Access to Programs Not Sanctioned by the IT Policy: 22%
My Company’s IT Policy Isn’t Enforced: 19%
I’m Too Busy to Think About My Company’s IT Policy: 18%
It Is Not Convenient: 16%
Nearly 70% of employees admit to violating company information policies at least some of the time.
n = 245.
1 Multiple responses allowed.
Source: Cisco’s 2012 Connected World Technology Report.
SUBVERTING SOCIAL MEDIA CONTROLS
Facebook Use by Device (Percentage of Facebook Users; n = 8,544)
Office Computer: Not Blocked on Office Computer 38%; Blocked on Office Computer 2%
Mobile Device: Not Blocked on Office Computer 33%; Blocked on Office Computer 35%
Twitter Use by Device (Percentage of Twitter Users; n = 978)
Office Computer: Not Blocked on Office Computer 27%; Blocked on Office Computer 12%
Mobile Device: Not Blocked on Office Computer 52%; Blocked on Office Computer 55%
Source: Information Risk Executive Council research.
“HARMLESS” BEHAVIORS?
Impact of Employee Behaviors on Traditional Risks (Selected)
Insecure or thoughtless actions by employees, compounded by increased access to company information and methods for distribution, intensify risks for companies.
■ Employees’ autonomy and ability to acquire and share information likewise increase the possibility, danger, and volatility of traditional legal and compliance risks.
[Matrix: each employee behavior below is marked against the traditional risks Insider Trading, Unauthorized Access, Discovery and Litigation, Harassment and Discrimination, IP/Trade Secret Violations, Breached or Lost Data, and Regulatory and Legal Consequences; the cell markings are not preserved in this text.]
– Unsanctioned Internet Browsing
– Portable Storage Devices (e.g., USB Drives)
– Discussing Confidential or Proprietary Information on Social Media
– Insufficient Passwords and Poor Password Protection
– Transferring Company Data on an Unsecure Network
– Downloading Unauthorized Software or Attachments
– Sharing a Company Computer, Smartphone, or Tablet
– Sending Confidential Information or Data Through Personal E-Mail
– Using Unsanctioned Collaboration Tools
– Storing Sensitive Information in a Personal Cloud
DESIGN PRACTICAL EMPLOYEE PROGRAMS
Shift focus toward creating practical policies and providing general guidance that enable employees to make sound and compliant decisions, while still benefitting from technology use.
Challenge | Key Member Question | Approaches for Discussion
Creating Flexible Policies from Static Guiding Principles | How do we create policies that provide consistent feedback but that can also adapt easily to changing technology needs or uses? | “Guiding Principles”–Based Policies
Training Employees on Appropriate Behaviors | How do we allow employees to use new technologies while minimizing the potential risk impact of these uses? | Social Media Ninjas Training Program
HOW TO TRAIN AND ARM A NINJA
Ninja Tools
To prepare ninjas for their role and provide ongoing support for success, Sprint equips ninjas with a varied arsenal of tools and training.
■ Social Media Ninjas go through several phases of training and receive ongoing support from Sprint, which provides consistent messaging, reinforces Sprint policy, and reduces the risk of unauthorized disclosures or unacceptable behaviors.
– Existing Sprint Policies: Sprint’s Social Media Ninjas program is informed by foundational Sprint policies such as its code of conduct, disclosure policy, information security policy, privacy policy, and non-harassment policy.
– Initial Workshop: Every Ninja goes through a 90-minute initial training workshop that covers Sprint’s social media policy and key social media platforms.
– Follow-Up Training: Every six weeks, Sprint offers more advanced workshops addressing either specific platforms or detailed information about products and services for discussion in social media. Business units with unique training or support needs can also receive customized training.
– Sprint Space: Sprint Space, a discussion board for employees, provides Ninjas with additional material and opportunities to communicate with each other about social media issues, concerns, or experiences.
– Widgets: When providing Ninjas with suggested content, Sprint also provides widgets that allow the Ninjas to link directly to their profiles on three main social media platforms—Facebook, LinkedIn, and Twitter—and post the content quickly and easily.
– Approved Content: In response to participants’ requests for clear guidance on approved content, Sprint provides Ninjas with approved “copy and paste” ready material for use in posts and advice on strategic use of the provided content.
© 2012 The Corporate Executive Board Company. All Rights Reserved. GCR3981712SYN
KEY TAKEAWAYS
Provide Realistic Guidance to Employees on Appropriate Behavior
Account for employee technology needs and desires and create policies that enable continued use while providing clear guidelines on acceptable behaviors.
Use Principles to Guide Policy Creation
Avoid lawyers' traditional “rules-based” policy approach by balancing policy development and awareness with broadly applicable and memorable principles. Clarify the connections between specific and adaptable (as necessary, especially to respond to fast-moving technological developments and demand) rules and longer-term principles based in company values.
Empower Employees to Safely Engage with Desired Technologies
Provide staggered and directed training sessions to educate employees on their responsibilities when representing the company in the public sphere, and provide them with the opportunity and encouragement to defend the brand.
ROADMAP FOR TODAY
Introductory Discussion: Governing Information Risk
■ GCR Guidance: Allocating Responsibility for Information Risk Governance
■ Network-Based Governance Structure
Influencing Employee and Business Information Risk Behaviors
■ Gather Realistic Risk Behavior Inputs: Power User-Led Policy Development; Mobile Device Pilot Program
■ Design Practical Employee Programs: “Guiding Principles”-Based Policies; Empowering Employee Social Media Engagement
Enable Risk-Informed Business Decision Making
■ “Conscious Choice” Decision Making
■ Principles-Based Decision Making
Risk Multiplier Discussion: Managing the Impact of Mobile Devices
Risk Multiplier Discussion: Exploring the Cloud
Risk Multiplier Discussion: Influencing Employee Social Media Activity
Define LRC Role
1 Pseudonym.
MORE DATA, MORE DEMAND
The amount of business information continues to grow, leading to higher business demand for technology to access this information.
■ “Big data” grows exponentially bigger as information volumes increase by 60% annually.
■ As technology evolves, corporate use of data grows in popularity, increasing the risks associated with its use.
■ Approximately 60% of companies report a measurable decrease in communication costs as a benefit of social technology adoption.
Estimated Rise in Global Data Volumes, 2010–2015 (Indexed to 100; 60% CAGR 1)
2010: 100 | 2011: 160 | 2012: 260 | 2013: 410 | 2014: 660 | 2015: 1,050
Changes in Technology Project Portfolios 2009–2010 (Percentage of Respondents Indicating Demand Changes 2)
The types of technology projects being considered focus on the business’s desire for more analysis of corporate information and greater accessibility and sharing.
Project Type | Increased | Flat | Decreased
Business Intelligence/Analytics | 94% | 6% |
Social Media | 87% | 13% |
Mobile Applications | 81% | 13% | 6%
Software as a Service (Concur, Basecamp, NetSuite, Salesforce.com) | 71% | 26% | 3%
Customer Interface Applications (Web) | 68% | 23% | 9%
Collaboration (SharePoint, Lotus Notes) | 67% | 33% |
n = 34 Applications Executive Council member institutions.
1 Compound Annual Growth Rate.
2 Numbers may not equal 100% due to rounding.
Source: “All Too Much,” The Economist, 27 February 2010; Insight IQ Diagnostic, 2011, IT Practice, Corporate Executive Board; AEC Peer Perspectives, Survey of Applications Executives, June 2011; “How Social Technologies are Extending the Organization,” McKinsey Quarterly, May 2012.
LIGHTING THE PATH
Most general counsel worry that the business does not consider the risks associated with new projects, yet few provide the business with guidance.
■ More than 60% of respondents believe the business does not consider legal risks when starting an information- or technology-related project.
■ Only 26% of legal departments provide guidance to their business clients on the legal and regulatory risks to consider when starting a new project.
■ As a result, Legal cannot preempt the need for or recommend mid-course corrections due to its limited visibility into and influence on business needs and planned uses of technology or information assets.
Agreement That “Business Clients Consider Legal, Regulatory, and Records-Related Risks When Starting a New Information-Related Project” (Percentage of Respondents; n = 130)
Strongly Agree: 1% | Agree: 8% | Neither Agree Nor Disagree: 27% | Disagree: 49% | Strongly Disagree: 16%
Note: Graph numbers may not total 100% due to rounding.
Impact of Legal’s Guidance on Information Risk Management Satisfaction 1 (Legal Satisfaction Rating from Strongly Disagree (1) to Strongly Agree (5); n = 120)
Legal Departments Providing Information and Technology Project Risk Guidelines: 3.28
Legal Departments Not Providing Information and Technology Project Risk Guidelines: 2.75
∆ = 18%
1 Legal’s level of agreement with the statement “I am satisfied with the extent to which the company understands and manages the legal and compliance risks associated with different information channels and platforms.”
“Traditional technology projects were capital projects that had to be vetted through capital investment processes. Now, most licensing and sub-contracting agreements currently hit individual expense budgets, which don’t follow the same process (and frankly, don’t always involve legal or IT). As a result, we’re spending a lot of time with individual business managers to educate them on the legal risks and implications.”
Chief Privacy Officer, Hospitality Industry
Source: GCR Information Risk Survey, 2012.
ENABLE RISK-INFORMED BUSINESS DECISION MAKING
Provide clear, concise guidelines to the business to enable risk-based decisions regarding technology and information uses.
Challenge: Providing Opportunities for Open Discussions on Information Risks
Key Member Question: How do we encourage the business to raise concerns about information risks prior to implementing new programs or initiatives?
Approach for Discussion: “Conscious Choice” Decision Making
Challenge: Embedding Risk Considerations into Business Routines
Key Member Question: How do we guide the business to consider legal and compliance risks when determining to pursue new opportunities?
Approach for Discussion: Principles-Based Decision Making
1 Pseudonym.
INTEGRATING FORMALIZED DECISION MAKING
Conscious Choice Decision Making: A simple, repeatable method for informed risk-taking that helps avoid unanticipated, negative consequences by ensuring that decisions are made based on a full consideration of options and the implications of actions.
Allstate formalizes discussions of the risks of particular information uses by implementing Conscious Choice Decision Making to ensure decision makers mitigate risks and remain aware of risks that cannot be mitigated.
■ Allstate’s legal department condenses critical questions and decision factors onto portable cards employees can carry for quick reference during meetings.
■ Employees with risk-related concerns about particular uses of information can reach out to stakeholders and subject-matter experts, almost always including a lawyer, to meet and discuss all potential risks of the proposed initiative.
Five Key Conscious Choice Questions to Aid Decision Making
1. What is the business objective and who is the business decision maker?
2. What risks does this strategy present in the following areas? ■ Regulatory/Legal ■ Reputation ■ Customer
3. What strategies have you developed to mitigate the identified risks?
4. What are your contingency plans (if risks occur or circumstances change)?
5. What processes have you established to monitor implementation and reassess, as necessary, to ensure the planned strategy continues to be the best means to achieve the business objective?
Communicating the Concept to the Business
Training Sessions
■ Allstate creates temporary, standalone training to instill the Conscious Choice Decision Making concept in business managers and employees simultaneously.
■ Allstate incorporates the training into its strongly encouraged management course, Leading with Integrity and Ethical Decision Making.
Laminated Cards
■ Allstate prints the principles on laminated 5” x 7” cards to emphasize the importance and permanent nature of the Conscious Choice Decision Making concept to the employee.
Leadership Outreach
■ Allstate reaches out to thought leaders from the different functions and champions within the business units to promote the use of the meetings and provide assistance, and introduces the concept to new officers within 90 days of hire or appointment through onboarding sessions and pre-packets.
GUIDING INFORMATION USE DECISIONS
Recognizing how the perceived misuse of information can affect its brand, Alvarez’s¹ legal team develops principles-based questions that the business can use to guide its decision making on initiatives that involve consumer information.
■ The legal department also uses the questions to inform business clients of the context of its decisions to pursue a particular use of information.
■ Alvarez embeds the principles-based questions into both live privacy training and in-person meetings.
Principles-Based Guiding Questions
Is the proposed use of information legal?
Alvarez asks a foundational question to establish that the desired business use of customer information does not violate any legal or contractual requirement. If the use does violate any legal or regulatory considerations, Alvarez will not pursue the opportunity.
If yes or uncertain:
Notice—Have we notified customers that we will be using their data in this manner? ■ What forms of notice would customers deem sufficient for this particular use? ■ Is this practical?
Consent—Did the customer consent to our use of their data in this manner? ■ Is it possible for the customer to make an informed choice allowing this particular use?
Risks—Have we evaluated all the potential unintended consequences that may stem from using the customer’s data in this manner? ■ Will this use surprise the customer? ■ What types of risks will be increased through this use and what mitigation tactics will alleviate them?
Opt-Out—Can the customer opt out of our using their data in this manner? ■ If a technology barrier exists, do we need to increase the level of consent and notification?
Impact—Have we considered the implications these data will have on our data security and records retention efforts? ■ How and where will these data be captured and stored? Is there a technical solution available? ■ Has IT Security been included in these conversations?
If answers are “no” or “uncertain,” Legal typically evaluates with the business whether to disallow the use or request additional information or mitigation efforts.
1 Pseudonym.
ALTERNATIVE DECISION CRITERIA
Build a set of decision criteria based on your organization’s risk profile and tolerance to guide business decision making on the potential use of information or technology.
Additional Information Use Decision Criteria (Selected from Member Conversations)
Regulatory/Statutory Requirements
■ Does this use of information violate regulatory requirements that dictate how we may use or store this information?
■ What are the potential penalties for violating regulatory or statutory requirements regarding information use in this way?
■ Do we face scrutiny from a regulatory agency or a regulatory investigation if we use information in this manner?
Industry Requirements
■ Are there industry standards that prevent such information use?
Customer Expectations
■ Do our customers expect we will use information in this manner?
■ Do our obligations to customers allow us to use information in this manner?
■ What are the consequences of violating customer expectations by using information this way?
Reputational Harm
■ Is the use of information in this manner consistent with our brand philosophy?
■ If our customers discovered we used/treated information this way, would they stop doing business with us?
■ What impact could reputational damage related to our use of information this way have on our stock price, market share, or revenue?
Criminal Liability
■ Does this practice or use of information open us up to criminal liability?
■ What are the criminal penalties for such information use?
Civil Liability
■ Does this practice or use of information pose potential civil liability?
■ What are the civil penalties for such information use?
■ Could we face class action lawsuits over such activities?
KEY TAKEAWAYS
Provide Business-Level Guidance
Enable the business to make risk-informed decisions about information and technology use through principles that take into consideration company values, reputational risks, and legal requirements.
Keep Guidance Simple and Replicable
Avoid overly cumbersome risk assessment processes or decision criteria that make it difficult for the business to achieve its objectives and instead focus on simple, practical, and easy-to-apply principles to aid decision making.
Encourage Business Risk Self-Assessments
Provide the business with a set of standard risk questions (including guidance on acceptable risk thresholds or escalation criteria) to facilitate self-assessments of the risks involved with new technology or information uses.
KEY TAKEAWAYS FOR THE DAY
Technology Developments Magnify Existing Risks, Not Create New Ones
Rather than introduce new-to-world risks, many information- and technology-related developments are actually the channels by which existing risks are magnified, accelerated, and dispersed. While actual impact will depend on a company’s industry, type and complexity of information handled, and geographic footprint, these developments collectively push companies’ risk exposure beyond acceptable (and manageable) levels.
Legal’s Cautious Approach Is Ineffective in This Environment
To manage information risks, legal departments often create controls and requirements that are too restrictive and impractical, tending to overlook the business opportunities and unstoppable employee behavior associated with these challenges. Rather than manage down companies’ risk exposure to more acceptable levels, these overly restrictive policies and controls can instead hide risks and, in turn, increase risk exposure.
Leading legal departments focus instead on the following actions to appropriately manage the risks and opportunities associated with these technology developments:
1. Establish Clear, Effective Information Risk Governance Structures
Legal may be tempted, on the one hand, to control information risk initiatives or, on the other, to abdicate and defer ownership entirely. However, the inter-disciplinary nature of information risk management requires effective collaboration by LRC with other functional partners. With varying degrees of formality and administrative effort, LRC must choose the model appropriate to its organization that ensures a balance among key stakeholders and internal experts. Assign key task ownership carefully and deliberately—the most “obvious” function responsible for an activity may not, in fact, be the most effective.
2. Create Practical, Realistic Employee-Facing Policies and Programs
On average, employees demonstrate a propensity for insecure behavior 22% of the time; however, Legal often bases its responses on a limited understanding of employee demand and preferences for new technology tools and platforms. Recognizing that typical tools fail to address the risks associated with employee behavior, leading LRC teams assess both the opportunity costs of prohibition and realistic means of enforcement, in addition to considering employee preferences, when developing policies and programs.
3. Ensure Deliberate Decision Making
As technology evolves, the business use of data grows in both popularity and complexity, amplifying the associated risks. In this ambiguous, rapidly changing environment, most business units do not consider legal and regulatory risks in their decision making, while their legal advisors rarely provide appropriate and sufficient guidance on how to do so and have limited visibility into the organization’s use of and desire for emerging information technologies. Leading companies enable the business to make risk-informed decisions about information and technology use through principles that take into consideration company values, reputational risks, and legal requirements, while keeping themselves informed of the business’s technology uses and needs by actively tracking and assessing technology developments.